The official corporate security response blog
@MSFTSecResponse
Today, the MSRC released its third annual progress report highlighting advancements of key Microsoft programs designed to help prevent and defend against online threats. The Microsoft programs featured in this paper include the following:
Each of these programs has experienced significant progress over the past year – from the introduction of a revised Exploitability Index rating system to a 29% increase in MAPP program membership. Microsoft will continue to refine these programs based on customer and industry feedback. Full details are available in the report itself – download a copy and get the full story on the MSRC’s progress since Black Hat 2010.
Some highlights from the report:
“Adobe is proud of its continued participation in the MAPP program and pleased with the positive feedback we’ve been getting from MAPP partners. Since the July 2010 MSRC Information Sharing report, Adobe’s participation in MAPP has grown from providing proof of concept documentation for exploits to providing full detection guidance and examples on virtually all Adobe Reader and Flash Player issues. We are pleased with the results of our participation in MAPP and value MAPP as a great example of companies working together to share information to help protect our mutual customers. Adobe has provided detection guidance to MAPP partners on 14 security updates since we began participating in the program.”
- Brad Arkin, Senior Director of Product Security and Privacy, Adobe Systems Incorporated
Later this week, many of us will be attending the Black Hat USA conference in Las Vegas. We’ll be at booth #203 in the exhibition hall – if you’re attending, stop by and say hello, and feel free to give your own testimonial at the video booth.
- Mike Reavey
Protecting the general computing ecosystem is a really tough job, and given some of the media headlines, it’s easy to get discouraged and wallow in the problems. It seems like we’re constantly bombarded with statistics measuring the number of bugs, vulnerabilities, or attacks in an attempt to build an accurate “state of the state.” The popular question of late seems to be “Is the ecosystem getting more or less secure?”
In my role, I talk with a lot of customers. In fact, we had recent meetings on Microsoft’s campus with CSOs from some of the world’s largest companies. While the topic sometimes starts with the “state of the state” and recent changes in the threat landscape, they always end up in the same place: customers want to discuss and collaborate on solutions, rather than wallowing in the problems.
We’ve collaborated with many of the thousands of brilliant security researchers across the globe over the years, and they’ve helped us improve the security of our products & services. There are also hundreds of security providers in the industry that we work closely with. In fact, three years ago we took an unconventional approach to security challenges by creating the Microsoft Active Protections Program (MAPP) to help unify this group of defenders. This program shifted advantage to the good guys by promoting collaboration within the industry, even among competitors, in order to quickly build defensive technologies for over a billion of our shared customers around the world.
The success of that program – which inspired industry collaboration – got us thinking about whether we could do something similar for the security research community. Our goal was to inspire new lines of research in areas that have the most impact and leverage in protecting customers. That means not building incentives to find single bugs, but instead rewarding work on innovative solutions that could mitigate entire classes of attacks.
Today, I am pleased to announce the BlueHat Prize to inspire security researchers to seek innovations in exploit mitigation technologies. This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology. In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations. At Microsoft, we believe in hiring the best and brightest minds in security to help us improve the security of our products and services, but also recognize it will take a “global village” to address today’s security challenges.
With over a quarter million dollars in cash and prizes, Microsoft believes the BlueHat Prize will motivate the community and foster even more collaboration with researchers throughout the security industry. To understand more about this competition, please visit Katie Moussouris’ EcoStrat blog or the BlueHat Prize contest page.
-Matt Thomlinson
Hello,
Today we published the July Security Bulletin Webcast Questions & Answers page. We fielded thirteen questions on various topics during the webcast, including bulletins released, deployment tools, and update detection tools. There were two questions during the webcast that we were unable to answer, and we have included those questions and answers on the Q&A page.
We invite our customers to join us for the next public webcast on Wednesday, August 10th at 11am PDT (UTC -7), when we will go into detail about the August bulletin release and answer questions live on the air.
Customers can register to attend at the link below:
Date: Wednesday, August 11, 2011
Time: 11:00 a.m. PDT (UTC -7)
Register: Attendee Registration
Thanks,
Jerry Bryant
Group Manager, Response Communications
Trustworthy Computing Group
Hello all --
Over the years we’ve often talked about exploit mitigations – DEP, ASLR, SEHOP and so forth – as effective tools for improving computer security, reducing risk, preventing attacks, and minimizing operational disruption. Today we’re releasing a user’s guide to the toolbox: “Mitigating Software Vulnerabilities,” a white paper with practical information on choosing and enabling those mitigations. We hope this paper becomes an indispensable reference for developers, IT pros and end users looking for advice and answers concerning exploit mitigations. The paper, which is in PDF format, is available from the Download Center. For more insight, Matt Miller of the Microsoft Security Engineering Center has written about the paper on the SRD blog.
As I previously mentioned in the Advance Notification Blog on Thursday, today we are releasing four security bulletins, one of which is rated as Critical, and three of which are rated Important. These bulletins will increase protection by addressing 22 vulnerabilities in the following Microsoft products. We’ve marked one bulletin, MS11-053, as our highest deployment priority for the month:
Despite its high deployment priority, we have assigned MS11-053 an Exploitability Index rating of 2. For more information on that decision, please see the SRD blog. We encourage all customers to apply this bulletin first, before deploying the rest of our July updates as soon as possible. Of note, consumers with Automatic Update enabled on their computers will not need to take any action; the tool ensures that the updates are applied and the systems protected.
The SRD blog also has insight from MSRC Engineering concerning MS11-056, an Important-level bulletin addressing five issues in Windows’ client/server runtime subsystem.
In this video, Jerry Bryant discusses this month's bulletins in further detail.
Below is our deployment priority guidance to further assist customers in their deployment planning.
Our risk and impact graph shows an aggregate view of this month's severity and exploitability index.
More information about this month's security updates can be found on the Microsoft Security Bulletin summary web page.
Per our usual process, we’ll offer the monthly technical webcast on Wednesday, hosted by Jerry Bryant and Dustin Childs. I invite you to tune in and learn more about the July security bulletins, as well as other announcements made today. The webcast is scheduled for Wednesday, July 13, 2011 at 11 a.m. PDT, and the registration can be found here.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
Thank you,
Angela Gunn
Trustworthy Computing
This week we released a special Security Intelligence Report that showcases some of the data we amassed in the wake of the big Rustock botnet takedown in the spring of 2010. The new SIR also delves into the diplomacy, secrecy and intellectual property law that all played important roles in the successful international effort that led to the takedown of the Rustock botnet on March 16. This was Microsoft’s second global botnet takedown effort, after Waledac in February, 2011.
In addition, as part of our normal monthly bulletin cadence, we’re providing our Advance Notification Service for July’s security bulletins today. This month we'll release four bulletins, one of them rated Critical and three rated Important, addressing issues in Microsoft Windows and Office. We'll close 22 vulnerabilities with those bulletins.
The bulletin release is once again slated for the second Tuesday of the month – July 12th at 10:00 a.m. PDT. Come back to this blog then for our official risk and impact analysis, as well as deployment guidance and a brief video overview of the month's highlights.
The monthly technical webcast next week will be hosted once again by Jerry Bryant and Dustin Childs. We invite you to tune in and learn more about the new security bulletin releases as well as other announcements to be made on Tuesday. That webcast is scheduled for Wednesday, July 13, 2011 at 11:00 a.m. PDT (UTC -7), and the registration form can be found here.
Angela Gunn
Trustworthy Computing